Wait a sec - the event showing when the account was created (624) should
contain information on who created the account. Likewise with the
password set, which would be a 628. When we change the local admin
password on our servers, these events are logged, and it tells us who
performed the action. See below for an example - I just created a test
account on my workstation and got the below event ID 624.

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 10/29/2008
Time: 7:04:52 AM
User: <Domain>\<username>
Computer: xxxxxxxx
Description:
User Account Created:
New Account Name: testadmin
New Domain: xxxxxxxx
New Account ID: xxxxxxxx\testadmin
Caller User Name: <username used>
Caller Domain: <Domain>
Caller Logon ID: (0x0,0x53444)
Privileges -

Hope this information helps. Object auditing is going to tell you if
the new account is accessing or doing anything to files/folders. The
naming convention for your account sounds extremely suspicious - I would
be concerned about a virus infection on that PC.
Thanks,
James Winzenz
Infrastructure Systems Engineer II - Security
Pulte Homes Information Services
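
Added example, not part of the original message or written by its author: a small parser for Security log text pasted in the layout shown above, which lists each event 624 whose Caller Domain\Caller User Name is not on an expected-administrators list. The sample events, the account names and the EXPECTED_ADMINS list are constructed assumptions.

```python
import re

# Constructed template in the layout of the event above; every value is a placeholder.
TEMPLATE = """Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 624
Date: 10/29/2008
Time: {time}
Computer: WS-EXAMPLE
Description:
User Account Created:
New Account Name: {new}
Caller User Name: {caller}
Caller Domain: {domain}
Caller Logon ID: (0x0,0x53444)
"""
SAMPLE = (TEMPLATE.format(time="7:04:52 AM", new="testadmin", caller="jdoe", domain="CORP")
          + TEMPLATE.format(time="7:09:10 AM", new="svc_tmp", caller="tempuser", domain="WS-EXAMPLE"))

EXPECTED_ADMINS = {r"corp\jdoe"}  # assumption: lower-cased accounts allowed to create users

def parse_events(text):
    """Split a pasted event dump on 'Event Type:' and return one field dict per event."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so times survive
            if sep and value.strip():
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def unexpected_creations(text, expected=EXPECTED_ADMINS):
    """Return (new account, caller, date and time) for 624 events with an unexpected caller."""
    hits = []
    for ev in parse_events(text):
        if ev.get("Event ID") != "624":
            continue
        caller = f"{ev.get('Caller Domain', '?')}\\{ev.get('Caller User Name', '?')}"
        if caller.lower() not in expected:
            hits.append((ev.get("New Account Name"), caller, f"{ev.get('Date')} {ev.get('Time')}"))
    return hits

if __name__ == "__main__":
    for new, caller, when in unexpected_creations(SAMPLE):
        print(f"{when}: {new} created by unexpected caller {caller}")
```
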
________________________________
From: Clubber Lang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 28, 2008 7:14 PM
To: NT System Admin Issues
Subject: Re: Unknown account created and added to local admins group